configuration cisco 871 & vpn

Discussion in 'Cisco' started by strippone@hotmail.com, Dec 13, 2006.


    Hi all,
    I'm new in cisco routers. I've done a config of this 871 router via
    sdm. Nat is working properly from inside I'm able to work. I've problem
    with vpn clients. I've set up an easy vpn server and I'm able to connect
    from a 56k modem vpn client 4.8.01.03 but I'm not able to ping my local
    lan from the client. I'm connected and I'm seeing the connection
    established, I've the ip and dns but not able to ping nor to traceroute
    from the client and from inside to the client. I'm pretty sure it is a
    problem with the routing. Can anyone help me?
    This is the config:

    !This is the running config of the router: 192.168.101.8
    !----------------------------------------------------------------------------
    ! NOTE(review): the leading "!" on the next line turns "version 12.4" into a
    ! comment; in a real running-config it is a plain line (probably a paste artifact).
    !version 12.4
    no service pad
    ! Keepalives in both directions so dead vty/telnet sessions are torn down.
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    ! Type-7 encoding only: reversible, it hides passwords from a casual glance at the
    ! config, not from anyone who can read it. Real protection is "secret" (type 5).
    service password-encryption
    service sequence-numbers
    !
    hostname gateway
    !
    boot-start-marker
    boot-end-marker
    !
    ! After 3 failed login attempts IOS logs the event and delays further attempts;
    ! local passwords must be at least 6 characters.
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    ! Type-5 (salted MD5) enable secret; value redacted by the poster.
    enable secret 5 <password>
    !
    aaa new-model
    !
    !
    ! Console/vty logins and the VPN XAUTH list (named again in "crypto map SDM_CMAP_1
    ! client authentication list") both authenticate against the local username table.
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    ! Group authorization for the Easy VPN group comes from the local
    ! "crypto isakmp client configuration group bruker-out" entry below.
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime 1
    ! NOTE(review): hard-coded 2003 DST dates in a 2006 config -- DST appears not to be
    ! applied any more; the "recurring" form avoids this.
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    ip subnet-zero
    ! Drop packets that carry IP source-route options.
    no ip source-route
    ip cef
    !
    !
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name bruker.it
    ! Both name-servers are on the inside LAN (192.168.101.0/24, interface Vlan1).
    ip name-server 192.168.101.4
    ip name-server 192.168.101.5
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ! CBAC inspection set. It is applied outbound on FastEthernet4 (the outside
    ! interface) so that return traffic of sessions started from inside is admitted
    ! through ACL 101, which otherwise ends in "deny ip any any".
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    !
    !
    ! Self-signed certificate, presumably the one "ip http secure-server" presents for
    ! SDM over HTTPS; browsers cannot validate it, so expect a certificate warning.
    crypto pki trustpoint TP-self-signed-2998182843
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2998182843
    revocation-check none
    rsakeypair TP-self-signed-2998182843
    !
    !
    crypto pki certificate chain TP-self-signed-2998182843
    certificate self-signed 01
    <SNIP>
    quit
    ! NOTE(review): the keyword between "privilege 15" and the hash was lost in the
    ! redaction; make sure it is "secret" (type 5), not "password" (type 7).
    username amm privilege 15 <password>
    ! The trailing "!" on the next line is most likely a paste artifact.
    username external secret 5 <password>!
    !
    ! --- IKE phase 1 ---
    ! 3DES / pre-shared key / DH group 2 (no hash given, so the IOS default applies).
    ! Fine for 2006; all of these are considered weak today -- prefer AES and a larger
    ! DH group where the client supports them.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    ! Easy VPN group pushed to the remote clients. "key" is the group pre-shared key,
    ! shared by every user of the group; the individual user is identified by XAUTH.
    crypto isakmp client configuration group bruker-out
    key <mykey>
    dns 192.168.101.4 192.168.101.5
    ! NOTE(review): clients get "mydomayin.com" while the router's own domain is
    ! "bruker.it"; confirm which one is intended (may just be redaction).
    domain mydomayin.com
    ! Address pool -- see the two "ip local pool SDM_POOL_1" lines further down.
    pool SDM_POOL_1
    ! Split-tunnel list: ACL 102 names the destinations clients send through the tunnel.
    acl 102
    ! Mask pushed with the assigned address. NOTE(review): a /16 for a pool that (in
    ! part) sits inside a /24 LAN looks odd; confirm it is intended.
    netmask 255.255.0.0
    !
    !
    ! --- IPsec phase 2 ---
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    ! Dynamic map for remote-access peers with unknown addresses. "reverse-route"
    ! injects a static route for each client's assigned address while its SA is up,
    ! so return traffic is steered into the tunnel (and, presumably, so the decrypted
    ! client packets pass uRPF on FastEthernet4).
    crypto dynamic-map SDM_DYNMAP_1 1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    reverse-route
    !
    !
    ! XAUTH user login (list sdm_vpn_xauth_ml_1) and group authorization (list
    ! sdm_vpn_group_ml_1), both local; "respond" answers the client's mode-config
    ! address request. The dynamic entry sits at the lowest priority (65535).
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    !
    ! FastEthernet0-3 are the built-in switch ports; no per-port configuration, so
    ! presumably all of them belong to Vlan1 below.
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! Outside / WAN interface. Public address and mask redacted by the poster
    ! ("netmasc" is part of the redaction, not a config error).
    interface FastEthernet4
    description $FW_OUTSIDE$$ES_WAN$
    ip address my-public-ip netmasc
    ! ACL 101 filters everything arriving from the Internet (see access-list 101).
    ip access-group 101 in
    ! Strict uRPF: a packet is dropped unless the route back to its source points out
    ! this interface. Decrypted VPN-client packets are sourced from pool addresses, so
    ! they rely on the reverse-route entries of the dynamic map; if client traffic is
    ! silently dropped, check "show ip route" for those /32s while a client is up.
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ! CBAC inspection of sessions leaving toward the Internet (set DEFAULT100 above).
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    ! Terminates the Easy VPN clients on this interface.
    crypto map SDM_CMAP_1
    !
    ! Inside LAN, 192.168.101.0/24; this router is .8 (per the heading of the post).
    interface Vlan1
    description
    ip address 192.168.101.8 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    ! NOTE(review): proxy-ARP is off here, which matters because the second SDM_POOL_1
    ! range (192.168.101.50-60) lies inside this subnet -- LAN hosts ARP for a
    ! connected VPN client's address and nobody answers.
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ! Clamp TCP MSS (typical when an upstream link or tunnel has a smaller MTU).
    ip tcp adjust-mss 1452
    !
    ! NOTE(review): two "ip local pool" lines with the same name -- in IOS this adds a
    ! second range to the same pool, so SDM_POOL_1 is 192.168.106.0-.10 plus
    ! 192.168.101.50-.60. The second range overlaps the Vlan1 subnet
    ! (192.168.101.0/24) while Vlan1 has "no ip proxy-arp": a client that is handed
    ! e.g. 192.168.101.55 cannot be reached by LAN hosts (they ARP for it on the wire)
    ! and gets no answers to its own packets -- exactly the symptom in the post. The
    ! first range also hands out .0, which some client stacks refuse. Likely fix: one
    ! pool outside the LAN, e.g. "ip local pool SDM_POOL_1 192.168.106.1 192.168.106.10",
    ! with ACL 101 and ACL 103 trimmed to match, and -- if this router is not the LAN's
    ! default gateway -- a route for 192.168.106.0/24 via 192.168.101.8 on the LAN side.
    ip local pool SDM_POOL_1 192.168.106.0 192.168.106.10
    ip local pool SDM_POOL_1 192.168.101.50 192.168.101.60
    ip classless
    ! Default route; next hop redacted.
    ip route 0.0.0.0 0.0.0.0 public-gateway
    !
    !
    ! NOTE(review): plain-text HTTP for SDM is on alongside HTTPS, and nothing in this
    ! listing restricts who may connect ("ip http access-class"). Consider
    ! "no ip http server" once SDM works over HTTPS.
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ! PAT to the outside interface address, but only for traffic that route-map
    ! SDM_RMAP_1 (ACL 103) permits: LAN-to-VPN-pool traffic is left untranslated so it
    ! can be routed back into the tunnel. The next two lines are one command that the
    ! forum wrapped; "overload" belongs on the same line.
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4
    overload
    !
    ! NOTE(review): a trap level is set but no "logging host" appears in this listing,
    ! so nothing leaves the router; only the local buffer receives messages.
    logging trap debugging
    ! ACL 1: the inside LAN. Not referenced anywhere in this listing.
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.101.0 0.0.0.255
    ! ACL 100 -- inbound on Vlan1 (inside). Anti-spoofing: drop LAN packets that claim
    ! the public /29, the limited-broadcast address or loopback as source, then permit
    ! everything. (The remark on the next two lines is one command wrapped by the forum.)
    access-list 100 remark auto generated by Cisco SDM Express firewall
    configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 85.18.35.224 0.0.0.7 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    ! NOTE(review): "log" on the catch-all permit logs every flow from the LAN; on an
    ! 871 that is a lot of CPU and buffer noise. Drop "log" once debugging is done.
    access-list 100 permit ip any any log
    ! ACL 101 -- inbound on FastEthernet4 (outside). Order matters: first one permit per
    ! VPN-pool address (generated by SDM, presumably so that decrypted client traffic
    ! passes this inbound check), then IKE/IPsec to the router, then ICMP replies, then
    ! RFC1918/bogon sources and an explicit deny-all. The client's own pings arrive
    ! inside ESP and are matched by the per-address permits, not by the icmp lines.
    ! (The remark on the next two lines is one command wrapped by the forum.)
    access-list 101 remark auto generated by Cisco SDM Express firewall
    configuration
    access-list 101 remark SDM_ACL Category=1
    ! Pool range 2 (192.168.101.50-60) -- addresses that also belong to the LAN subnet.
    access-list 101 permit ip host 192.168.101.50 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.51 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.52 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.53 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.54 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.55 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.56 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.57 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.58 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.59 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.101.60 192.168.0.0 0.0.255.255
    ! Pool range 1 (192.168.106.0-10).
    access-list 101 permit ip host 192.168.106.0 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.1 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.2 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.3 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.4 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.5 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.6 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.7 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.8 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.9 192.168.0.0 0.0.255.255
    access-list 101 permit ip host 192.168.106.10 192.168.0.0 0.0.255.255
    ! IKE (UDP 500), NAT-T (UDP 4500), ESP and AH to the router's public address.
    access-list 101 permit udp any host <public-addr> eq non500-isakmp
    access-list 101 permit udp any host <public-addr> eq isakmp
    access-list 101 permit esp any host <public-addr>
    access-list 101 permit ahp any host <public-addr>
    ! NOTE(review): DNS replies from the two name-servers -- but those servers are on
    ! the inside LAN, so a packet with that source should never arrive on the outside
    ! interface. The two entries (each wrapped over two lines) look like SDM
    ! boilerplate; harmless as long as the LAN-source deny below follows them.
    access-list 101 permit udp host 192.168.101.5 eq domain host
    <public-addr>
    access-list 101 permit udp host 192.168.101.4 eq domain host
    <public-addr>
    ! Any other packet claiming an inside-LAN source on the outside interface is spoofed.
    access-list 101 deny ip 192.168.101.0 0.0.0.255 any
    ! Replies to ping/traceroute started from the router or the LAN. No "echo" entry,
    ! so the router does not answer pings from the Internet (intended).
    access-list 101 permit icmp any host <public-addr> echo-reply
    access-list 101 permit icmp any host <public-addr> time-exceeded
    access-list 101 permit icmp any host <public-addr> unreachable
    ! RFC1918, loopback, broadcast and unspecified sources, then an explicit deny-all
    ! (hit counts on it are visible in "show access-list 101").
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    ! ACL 102 -- split-tunnel list for group bruker-out. The source side is the
    ! protected (server-side) network: clients tunnel everything destined for
    ! 192.168.0.0/16 and send the rest directly. NOTE(review): the second entry
    ! (wrapped by the forum) has the pool as its source, which is not how a
    ! split-tunnel list is read, and "log" has no effect here; it looks redundant.
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit ip 192.168.0.0 0.0.255.255 any
    access-list 102 permit ip 192.168.106.0 0.0.0.255 192.168.101.0
    0.0.0.255 log
    ! ACL 103 -- NAT exemption, matched by route-map SDM_RMAP_1: traffic from any
    ! 192.168.x.x host to a VPN-pool address is denied here (= not translated), all
    ! other LAN traffic is permitted (= translated). Like ACL 101 this is one line per
    ! pool address, so every pool change must be mirrored here; for a pool confined to
    ! 192.168.106.x a single "deny ip 192.168.101.0 0.0.0.255 192.168.106.0 0.0.0.255"
    ! would do.
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.50
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.51
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.52
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.53
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.54
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.55
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.56
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.57
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.58
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.59
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.101.60
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.0
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.1
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.2
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.3
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.4
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.5
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.6
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.7
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.8
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.9
    access-list 103 deny ip 192.168.0.0 0.0.255.255 host 192.168.106.10
    access-list 103 permit ip 192.168.101.0 0.0.0.255 any
    ! CDP off everywhere, so no device details are advertised on the WAN port.
    no cdp run
    !
    ! NAT policy: translate only what ACL 103 permits (see the ACL above).
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    ! NOTE(review): the vty accepts Telnet as well as SSH, so logins from the LAN (and
    ! from connected VPN clients, whose pool addresses ACL 101 permits to any
    ! 192.168.x.x host) can cross the network in clear, and no "access-class" limits
    ! where logins may come from. Recommended: "transport input ssh" (SSH is already
    ! configured) plus an access-class naming the management hosts. From the Internet
    ! the vty is already unreachable, since ACL 101 ends in deny-all.
    line vty 0 4
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ! Written by IOS itself; not meant to be edited.
    ntp clock-period 17175142
    ! Time from a LAN host, sourced from the inside address.
    ntp server 192.168.101.5 source Vlan1 prefer
    end
